
The Ultimate Survival Guide to ISO 27001

Copyright © Tugboat Logic 2021. All rights reserved.

“Being able to achieve ISO 27001 compliance with Tugboat unlocked $6,000,000 in pipeline revenue for us. That’s only just a few clients, but those were clients we literally could not have landed without the Tugboat platform.”

Adam Jaggers | CTO, XOi Technologies

| Contents

Introduction 1
ISO 27001 Basics 2
A Step-by-Step Guide to ISO 27001 Certification 12
How Tugboat Logic Can Help 19
Conclusion 21

The Ultimate Survival Guide to ISO 27001 | 1

| Introduction

Let’s face it. ISO 27001 isn’t the world’s most exhilarating topic. But that’s not why you’re here. Chances are, your company’s thinking about getting certified and you’ll be a key stakeholder for the project. Naturally, you want to know what ISO 27001 is all about. More than that, you want to set your team up for a successful audit.

This guide is going to reduce the time and money you spend getting certified. Beyond that, it’ll demystify the process so that you can confidently manage your project end to end. Let’s take a look at what we’ll be covering.

1. First, we’ll unpack what ISO 27001 is—minus the unnecessary fluff.

2. Then, we’ll provide you with a step-by-step guide to certification, with practical advice from our team of ex-auditors.

3. Finally, we’ll show you how Tugboat Logic can help you get and stay compliant with less lift.

Okay, enough chit chat. Let’s do this thing.

💡Did You Know?

Demand for ISO 27001 is booming. Certification has increased by 450% over the last ten years.1

1 Baker, Alice. “Learn how to implement and maintain an ISO 27001-compliant ISMS with IT Governance.” IT Governance, April 8, 2019.

ISO 27001 Basics

📌 Fun Fact

The ISO 27000 family includes 46 complementary standards. They provide an internationally recognized framework for information security best practices.

| ISO 27001 Basics

By now, you’ve probably read a lot of information about ISO 27001. You might even be more confused about the standard than you were before. That’s totally okay.

The purpose of this section is to explain what ISO 27001 is all about as clearly and concisely as possible.

What Is ISO 27001?

First things first. The full name of the ISO standard is actually ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements.2

It’s a mouthful, we know. That’s why we just call it ISO 27001.

It’s the only international standard that specifies auditable requirements for an information security management system (ISMS). Its goal is to preserve the confidentiality, integrity and availability of information by applying a risk management process. Unlike some other frameworks, which focus exclusively on IT, ISO 27001 applies to the entire organization: people, processes and physical premises as well as technology.

If you’re curious about what ISO and IEC stand for, here’s your answer: the International Organization for Standardization and the International Electrotechnical Commission. The two bodies jointly publish and maintain ISO/IEC 27001.

2 ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements. ISO.org. Accessed April 14, 2020.

📖 Additional Reading

ISO.org breaks down every mandatory clause in ISO 27001.

What Is an Information Security Management System (ISMS)?

Generally speaking, an ISMS is a collection of policies and procedures that help you manage and protect your organization’s sensitive information.

Pretty straightforward, right?

In the context of ISO 27001, there’s a bit more to it.

You see, ISO 27001 has a series of requirements, otherwise known as mandatory clauses, that your organization must meet. Beyond that, it also includes a list of Annex controls. You only need to implement controls that are applicable to you.

That said, you need to provide a justification for why certain controls apply and others don’t. But that’s something you do in your Statement of Applicability, which we’ll cover in more detail later on.

Let’s take a look at the mandatory clauses first.

The 24 Mandatory Clauses

To implement an ISMS that’s ISO 27001 compliant, you need to meet every requirement in clauses 4 through 10 of the standard (4.1 to 10.2) and keep the documented information those clauses call for. They cover everything from scoping your ISMS (clause 4.3) and assessing risk (clauses 6.1.2 and 8.2) to conducting internal audits at planned intervals (clause 9.2) and management review (clause 9.3). None of these clauses are negotiable. You have to meet them all, and unlike the Annex A controls, you can’t exclude any of them in your Statement of Applicability.

💡Did You Know?

ISO 27001 has a list of 114 controls in Annex A of the standard. You only have to implement those that are applicable to your business. However, you must provide a justification for why certain controls apply while others don’t.

The 114 Annex A Controls

You’ll also need to implement all applicable controls from Annex A. Here’s a look at the fourteen categories of controls and what they cover.

● Annex A.5 - Information security policies (2 controls): How policies are written and reviewed.

● Annex A.6 - Organization of information security (7 controls): The assignment of responsibility for specific tasks.

● Annex A.7 - Human resource security (6 controls): Ensuring employees and contractors understand their responsibilities before, during and at the end of employment.

● Annex A.8 - Asset management (10 controls): Identifying information assets and defining appropriate protection responsibilities.

● Annex A.9 - Access control (14 controls): Limiting access to information and systems to authorized users, including user provisioning and de-provisioning, authentication and privileged access.

● Annex A.10 - Cryptography (2 controls): Encryption and key management of sensitive information.

● Annex A.11 - Physical and environmental security (15 controls): Securing the organization’s premises and equipment.

● Annex A.12 - Operations security (14 controls): Ensuring information processing tools are secure.

● Annex A.13 - Communications security (7 controls): How to protect information in networks.

● Annex A.14 - System acquisition, development, and maintenance (13 controls): Ensuring that information security is a central part of the organization’s systems.

● Annex A.15 - Supplier relationships (5 controls): The agreements to include in contracts with third parties.

● Annex A.16 - Information security incident management (7 controls): How to report disruptions, breaches, and who’s responsible.

● Annex A.17 - Information security aspects of business continuity management (4 controls): How to address business disruptions.

● Annex A.18 - Compliance (8 controls): How to identify the laws and regulations that apply to your organization.

ISO 27001 is more rigorous than, say, SOC 2, and not just because the preparation and audit cycle take longer. It actually requires a lot of documentation. You must provide documentation for its 24 clauses and implement all applicable controls, without exception.

That’s all to say that it can be a tough nut to crack.

📌 Fun Fact

ISO 27001 is based on the Plan-Do-Check-Act cycle (PDCA), which is used to continuously improve processes. Here’s how it applies:

Plan: Establish your ISMS.

Do: Operationalize your ISMS.

Check: Monitor and review your ISMS.

Act: Maintain and improve your ISMS.

Why You Need ISO 27001

In most cases, businesses get ISO 27001 certified because a customer or prospect requires it. But that’s not always the case. Others are expanding into new markets or regulated industries and need a security framework that is recognized there. Finally, some businesses position security as a competitive advantage, and ISO 27001 certification is a form of assurance that customers recognize across jurisdictions.

If you fit into one of the groups mentioned above, ISO 27001 is going to be critical to helping you achieve your goals.

What Does the ISO 27001 Audit Entail?

To get ISO 27001 certified, you need to complete a two-stage external audit by an accredited certification body.

Stage 1: The Stage 1 audit is often called a “documentation review” audit, because the auditor will review your processes and policies to establish whether they’re in line with the requirements of ISO 27001. They’ll also want to make sure your ISMS has been implemented and that you’re ready for Stage 2. The focus here is on the mandatory clauses and your core ISMS documents: scope, risk assessment, risk treatment plan and Statement of Applicability. Typically, this takes one or two days.

Stage 2: The Stage 2 audit is often referred to as the “Certification Audit”. During a Stage 2 audit, the auditor will conduct a thorough assessment, including sampling evidence for the Annex A controls you declared applicable, to establish the effectiveness of the ISMS and its compliance with the ISO 27001 standard. The duration of Stage 2 depends on the size and complexity of your organization. When they’re finished, they’ll recommend you for certification, assuming you passed. Any major non-conformities have to be closed before the certificate is issued.

Certification is valid for three years. However, in each of the two years following your certification, you’ll be required to pass a surveillance audit to prove your ISMS is still operating and compliant. To be clear, these aren’t pop quizzes. Your auditor will provide you with a scope of what they’ll be reviewing for your surveillance audit, and they typically sample a subset of the clauses and controls rather than repeating the full Stage 2.

Finally, in the third year, before your certificate expires, you’ll need to complete a recertification audit, which starts the three-year cycle again.

💡Did You Know?

You can spend 50% less time getting ISO 27001 certified by using Tugboat Logic’s audit workflow software.

The ISO 27001 Audit Cycle (diagram): Documentation Audit (Stage 1) → Certification Audit (Stage 2) → Year One Surveillance Audit → Year Two Surveillance Audit → Recertification Audit, after which the recertification cycle repeats.

How Long Does It Take to Get ISO 27001?

Short answer: well, it depends.

If you’re an enterprise with multiple offices, you’re likely going to have a longer ISO 27001 journey, simply because there is more to scope, more systems to assess and more people to involve. That said, having a security team and an existing compliance program can definitely speed things up. That’s because you probably already have controls in place that are also applicable to ISO 27001, plus the resources to manage the project.

If you’re a smaller company without a security program, you can expect it to take longer than a comparably sized company that has one, since you’ll be starting from scratch. Conversely, if you already have a bunch of controls in place, you’re looking at a much quicker timeline.

As a general rule, the audit itself typically takes between 2 - 6 months to complete. That includes both phases and the remediation of non-conformities, assuming your auditor identifies any.

With audit prep, there’s a lot more variability.

You can get a better sense of how long it’ll take to get certified on the following page.

😁 Customer Quote

“We literally couldn’t have achieved ISO 27001 without Tugboat. We just didn’t have the resources or the expertise, and we couldn’t afford to spend another $150,000 on a consulting firm. It wasn’t viable for us.”

Adam Jaggers | CTO, XOi Technologies

ISO 27001 Certification Timeline by Company Size

Company size              Using internal resources or a contractor   Using Tugboat Logic
10 employees              Up to 6 months                             Up to 3 months
Up to 50 employees        6 - 10 months                              3 - 5 months
Up to 200 employees       10 - 14 months                             5 - 9 months
More than 200 employees   14 - 18 months                             9 - 12 months

A Step-by-Step Guide to ISO 27001 Certification

| A Step-by-Step Guide to ISO 27001 Certification

Step 1: Learn About ISO 27001

Congrats, you’re already completing this step just by reading this guide. ISO 27001 can seem really complicated, especially when you look at all the conflicting information online.

But it doesn’t have to be. If you need help finding your footing and would like to speak with someone who knows the ins and outs of the standard, don’t hesitate to contact us. One of our ISO 27001 pros would be happy to answer any and all questions you might have.

Step 2: Assemble a Dream Team

Next, you’ll want to assign a project manager and project sponsor. Your project manager is responsible for implementing your ISO 27001 ISMS. The sponsor should be invested in the project’s success. They’ll ensure it gets executive buy-in and have the authority to move things along. You may fit into either of these two roles.

If you’re a larger business, you might have a dedicated security team. In that case, your CISO might sponsor an ISO 27001 project that a security practitioner manages. We’ve worked with smaller startups where the CEO fills the sponsor role while a project manager handles execution on the ground.

Step 3: Find an Auditor

You’re probably thinking: “Hold up, isn’t it a bit early in the game to be looking for an auditor?”

Most definitely not.

Think about it this way. You’re going to be spending plenty of time with your auditor. You owe it to yourself and your business to choose someone who’s easy to collaborate with. Here are some questions to consider:

● What kind of reputation do they have?

● What’s their experience conducting ISO 27001 audits?

● What kind of personality do they have?

● How are their communication skills?

● How expensive are they?

● What’s their availability?

● How responsive are they?

● What does their approach look like?

If you’re looking for more guidance on choosing an auditor, we wrote a whole article on the topic. You can read it here.

One important point to remember. While it’s easy to villainize your auditor, they really do want to see you succeed. In fact, during your ISO 27001 audit, they’ll give you a number of opportunities to fix non-conformities. They’ll also provide you with feedback and advice. They are a resource. So, be sure to use them.

🔥 Hot Tip

Asking a potential auditor the right questions up front ensures that there won’t be any unwelcome surprises later on.

Step 4: Define Your ISMS Scope

This step will determine the breadth and depth of your ISMS. Clause 4.3 requires you to document the scope, taking into account the internal and external issues you face, the requirements of interested parties (customers, regulators, partners) and the interfaces and dependencies between what is in scope and what isn’t. Here, you’ll need to identify where sensitive information is stored and processed, including physical and digital files on all your systems, cloud services and portable devices. That means you’ll have to work cross-functionally. Try to be strategic by focusing on individuals in other departments who know their systems, information and level of risk. They’ll enable you to scope accurately and ensure your ISMS aligns with your overarching strategy. One caveat: a narrow scope is a legitimate way to get started, but customers will read the scope statement on your certificate, so make sure the systems they care about are inside it.

Step 5: Conduct Your Risk Assessment

The risk assessment is a critical component of ISO 27001. Clause 6.1.2 defines what your risk assessment process must include, and clause 8.2 requires you to perform it at planned intervals and whenever significant changes occur. As such, the entire process must be planned and documented, including the inputs, analysis and results.

ISO 27001 doesn’t prescribe a risk assessment methodology. So, how you do it is up to you, as long as the method produces consistent, valid and comparable results each time it is applied. Keep in mind, you’ll need documentation that outlines:

● How you conducted your risk assessment

● A list of your information assets

● Risks associated with your information assets, each with an assessed likelihood and impact

● Your risk acceptance criteria (the level of risk your organization will tolerate), expressed as a risk score that is applied consistently across the organization

● How you intend to treat each risk by either:

○ Mitigating the risk: Implementing controls to reduce the likelihood or the impact.

○ Avoiding the risk: Ceasing the activity that creates the risk.

○ Transferring (sharing) the risk: Outsourcing the activity to a third party or purchasing cyber insurance so you have funds in the event of a breach. Note that you can transfer the financial impact, but not your accountability to customers.

○ Accepting the risk: Knowingly retaining the risk because the cost of treating it exceeds the possible damage, with that decision documented and approved.

Each risk must have an owner who is responsible for approving your risk treatment plan and for accepting any residual risk.

Again, you must document everything, including how you intend to treat each of your identified risks.

🔑 Critical Keywords

The Statement of Applicability (SoA) is a summary of your business’ position on all 114 controls in Annex A of the ISO 27001 standard. In it, you clarify which controls you did and didn’t implement and provide a justification for why.

Step 6: Implement Controls and Mitigate Risks

At this point, you’ll know exactly what your risk exposure is. That means it’s time to produce a Statement of Applicability and a Risk Treatment Plan. These are mandatory documents (clause 6.1.3). They also provide evidence that you conducted a risk assessment.

Your Statement of Applicability (SoA) lists all 114 controls in Annex A. For each one it records whether the control is applicable, the justification for including or excluding it, and whether it is currently implemented. Again, some of these controls might not be applicable to you. For instance, there are a number of controls that must be implemented in a physical office environment to control unauthorized access to sensitive information. One in particular, A.11.1.6, is concerned with delivery and loading areas. If your business doesn’t have a delivery or loading area, then this control wouldn’t be applicable to you.

In your justification, you’d simply note that the control wasn’t applicable and why. For the example above, it would be because your business doesn’t have a delivery and loading area. You also need to justify every control you do implement, and the justification should trace back to the risks it treats. Auditors routinely cross-check the SoA against the risk treatment plan, so a control that treats a risk in one document but is marked not applicable in the other is an easy finding to avoid.

Now for your Risk Treatment Plan. This document outlines your risks, how you’ll treat each one, which controls you’ve chosen, who owns the risk and when the treatment is due.

In most cases, you’ll be mitigating your risks. That is, putting controls in place to reduce their likelihood or impact. But this won’t always be true. There might be opportunities for you to avoid certain risks or to transfer them.
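To make Steps 5 and 6 concrete, here is an added example (not from the original guide and not Tugboat Logic’s product code) of the consistency check a practitioner scripts over a risk register, treatment plan and SoA before the auditor does the same cross-check by hand. The 1-5 likelihood and impact scale, the acceptance threshold of 10, the field names and the sample risks and SoA entries are all assumptions constructed for illustration; the control identifiers follow the Annex A (2013) numbering used in this guide.

```python
"""Consistency checks for an ISO 27001 risk register, risk treatment plan
and Statement of Applicability (SoA).

Added example for illustration: the scoring scale, threshold, field names
and sample data below are assumptions, not taken from the standard or from
any vendor's tooling.
"""
from dataclasses import dataclass, field

# Assumed 1-5 likelihood x 1-5 impact scale. Scores at or above the
# threshold are outside the organisation's (assumed) risk acceptance criteria.
ACCEPT_THRESHOLD = 10
TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}


@dataclass
class Risk:
    rid: str
    asset: str
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    owner: str               # person accountable for approving the treatment
    treatment: str           # one of TREATMENTS
    controls: list = field(default_factory=list)   # Annex A ids, e.g. "A.9.2.1"
    justification: str = ""  # required when accepting a risk above threshold

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoaEntry:
    control: str
    applicable: bool
    justification: str       # required for inclusion and exclusion alike


def validate(risks, soa):
    """Return a list of findings; an empty list means register and SoA agree."""
    findings = []
    soa_by_id = {e.control: e for e in soa}
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            findings.append(f"{r.rid}: likelihood/impact outside the 1-5 scale")
        if not r.owner:
            findings.append(f"{r.rid}: no risk owner assigned")
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.rid}: unknown treatment '{r.treatment}'")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.rid}: mitigated but no controls referenced")
        if r.treatment == "accept" and r.score >= ACCEPT_THRESHOLD and not r.justification:
            findings.append(f"{r.rid}: score {r.score} accepted without justification")
        # Every control used to treat a risk must be in the SoA and marked applicable.
        for c in r.controls:
            e = soa_by_id.get(c)
            if e is None:
                findings.append(f"{r.rid}: control {c} missing from SoA")
            elif not e.applicable:
                findings.append(f"{r.rid}: control {c} used but marked not applicable in SoA")
    for e in soa:
        if not e.justification:
            findings.append(f"SoA {e.control}: no justification recorded")
    return findings


# Constructed sample data (not from any real organisation).
SAMPLE_SOA = [
    SoaEntry("A.9.2.1", True, "User registration needed for all SaaS staff accounts"),
    SoaEntry("A.10.1.1", True, "Customer data encrypted at rest and in transit"),
    SoaEntry("A.11.1.6", False, "No delivery or loading area on our premises"),
    SoaEntry("A.12.3.1", True, ""),   # missing justification -> finding
]

SAMPLE_RISKS = [
    Risk("R-01", "Customer database", "Unauthorised access via stale accounts",
         likelihood=3, impact=5, owner="Head of Engineering",
         treatment="mitigate", controls=["A.9.2.1"]),
    Risk("R-02", "Laptop fleet", "Lost device with unencrypted data",
         likelihood=2, impact=4, owner="IT Manager",
         treatment="mitigate", controls=["A.10.1.1"]),
    Risk("R-03", "Office", "Unauthorised entry via loading dock",
         likelihood=4, impact=3, owner="Office Manager",
         treatment="mitigate", controls=["A.11.1.6"]),   # excluded in SoA -> finding
    Risk("R-04", "Build server", "Backups never tested",
         likelihood=4, impact=4, owner="",
         treatment="accept"),   # score 16, no owner, no justification -> findings
]


def sample_findings():
    return validate(SAMPLE_RISKS, SAMPLE_SOA)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run as a script it prints four findings for the constructed data: the loading-dock risk relies on a control the SoA excludes, the backup risk has no owner and is accepted above the threshold without a recorded decision, and one SoA entry has no justification. Each of these is exactly the kind of mismatch a Stage 1 auditor picks up when laying the SoA next to the risk treatment plan.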

Step 7: Train Your Team

As you start implementing controls and involving more of your team in the ISO 27001 process, you’re going to have to train them. The reality is that your new ISMS will require a new way of working and that will impact everyone.

Whether it’s idle workstation locks or a new clean desk policy, everyone is going to have to do their part. But it shouldn’t be complicated. Thankfully, there are plenty of security awareness programs out there with an ISO 27001 flavor. These can automate the process and get your team up to speed fast.

🔑 Critical Keywords

The Risk Treatment Plan is a document in which you outline how your organization will respond to all risks that were identified in your risk assessment.

Step 8: Review Your Required Documentation

Here’s where the 24 mandatory clauses come into play. You’ll want to review all required ISO 27001 documentation and update any policies or procedures that need to be changed. Thankfully, much of this documentation exists in templates online. Here’s an example of an Information Security Policy our Labs team put together, just to get you started. It is a requirement of clause 5.2 of the ISO 27001 standard.

Step 9: Measure, Monitor, Review

You need to continually analyze and review the performance of your ISMS to ensure it’s effective and compliant. Also, try to look for ways to improve your processes and controls. Your ISMS isn’t something you can set and forget. It should change with your organization.

Step 10: Conduct an Internal Audit

Running internal audits at planned intervals is a requirement of ISO 27001 (clause 9.2). It’s also best practice, especially if you’re about to do the real deal. The whole process is formalized, per the standard: you need an audit programme, defined criteria and scope for each audit, and a documented report of the results that goes to management. The standard also requires that auditors are objective and impartial, so whoever runs the internal audit shouldn’t be auditing their own work; smaller companies often use a different team, a consultant or a peer company for this. One pointer. To save yourself potential headaches in the future, make sure you schedule your internal audits when business is likely to be slow.

Step 11: Get Certified 🏆

How Tugboat Logic Can Help

| How Tugboat Logic Can Help

💡Did You Know?

Tugboat Logic’s audit workflow software can reduce audit readiness costs by up to 60%.

If ISO 27001 has you feeling overwhelmed, that’s totally okay. As we mentioned earlier, your auditor is a wealth of knowledge. Consultants can support your journey to certification too, if that’s the right path for you.

We can also help. We’ve built the first end-to-end ISO 27001 solution. It makes certification as easy as possible. Here’s how we do it.

● Readiness Project Scoping Survey: We help you define your ISMS scope by having you answer a few questions about your business.

● Risk Assessment Module: Our platform integrates threats and vulnerabilities from your Risk Assessment into the SoA Module, ensuring your ISMS documents are always in sync.

● Automated SoA Module: We provide recommended justifications for all 114 Annex A controls, real-time implementation statuses and a streamlined SoA review process.

● Policies and Procedures: Create your own policies and procedures or leverage Tugboat Logic’s library of pre-written content.

● ISO 27001 Checklist: Track how you’re doing and tie up any loose ends before you get audited. That way, you can rest assured that you’ll have the best possible outcome.

● ISO 27001 Experience: Help when you need it from our team of ex-auditors and compliance experts.

| Conclusion

The objective of this guide was a bold one: to reduce the time and money you spend getting certified. We set out to demystify ISO 27001 and provided a roadmap to help you navigate the process.

Hopefully, we have accomplished all of these things and you’re now ready to kickstart your project with confidence. If so, you’re probably wondering what to do next. Here are three suggestions:

1. Talk to us. Our team of ISO 27001 experts would love to help you in any way they can.

2. Start shopping for an auditor who will be able to guide you through the process.

3. Get a free demo of our ISO 27001 audit workflow solution.

You'll get through this. And you'll come out the other side stronger, more secure, more confident and ready to become the vendor of choice for today's most discerning customers.

Good luck 😁

| About Tugboat Logic

Tugboat Logic is the Security Assurance Platform that provides continuous compliance. It uses automated technology to demystify the process of creating and managing an InfoSec program. With Tugboat Logic, companies can quickly get secure and prove it to customers. Powered by AI, Tugboat Logic’s patent-pending technology automates InfoSec policy creation, audit readiness, and security questionnaire response so companies can gain trust with customers and sell more. Tugboat Logic helps businesses prepare for audits in half the time and at a fraction of the cost, ensures they can respond to security questionnaires in minutes (not hours), and builds and scales their InfoSec plan in minutes.

| Start Selling More Today

Interested in turning your security and compliance program into a business advantage? Get a free trial or contact one of our representatives at [email protected].
